[AC-1389] [AC-1919] Only require CanManage permission when admins cannot access all items (#3530)

* move this error behind the Flexible Collections v1 flag instead of MVP * only enforce this requirement if organization.allowAdminAccessToAllCollectionItems is false --------- Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2025-06-30 07:36:14 -05:00 · 2024-01-04 20:56:59 -05:00
parent 061253e428
commit c553ec6aa0
2 changed files with 8 additions and 7 deletions
--- a/src/Core/Services/Implementations/CollectionService.cs
+++ b/src/Core/Services/Implementations/CollectionService.cs
@ -43,9 +43,6 @@ public class CollectionService : ICollectionService
        _featureService = featureService;
    }

-    private bool UseFlexibleCollections =>
-        _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
-
    public async Task SaveAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null,
        IEnumerable<CollectionAccessSelection> users = null)
    {
@ -59,11 +56,11 @@ public class CollectionService : ICollectionService
        var usersList = users?.ToList();

        // If using Flexible Collections - a collection should always have someone with Can Manage permissions
-        if (UseFlexibleCollections)
+        if (_featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1, _currentContext))
        {
            var groupHasManageAccess = groupsList?.Any(g => g.Manage) ?? false;
            var userHasManageAccess = usersList?.Any(u => u.Manage) ?? false;
-            if (!groupHasManageAccess && !userHasManageAccess)
+            if (!groupHasManageAccess && !userHasManageAccess && !org.AllowAdminAccessToAllCollectionItems)
            {
                throw new BadRequestException(
                    "At least one member or group must have can manage permission.");
@ -125,7 +122,10 @@ public class CollectionService : ICollectionService
        }
        else
        {
-            var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, UseFlexibleCollections);
+            var collections = await _collectionRepository.GetManyByUserIdAsync(
+                _currentContext.UserId.Value,
+                _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext)
+            );
            orgCollections = collections.Where(c => c.OrganizationId == organizationId);
        }